On the same day when the Supreme Court said that privacy is a fundamental right, the Reserve Bank of India (RBI) said that there is a need to adopt a rights-based approach to privacy while collecting financial data rather than the traditional consent-based approach.

“We therefore briefly discuss a potentially valuable new lens through which to consider the data privacy issue, considering the potential of a rights-based approach, which stands in contrast to the more standard consent-based approach that is widely prevalent,” the RBI noted in the report of the Household Finance Committee.

The RBI also said that the committee examined whether the use of consent as the primary line of defense against privacy violation will actually ensure the protection of personal data in the context of modern technologies. “We note that technological advances such as machine learning and big data have changed the ways in which we process data and as a result, have made consent a less than effective tool to protect personal privacy,” the report read.

The RBI also made an interesting observation about the Scandinavian countries of Denmark, Norway and Sweden, where vast amounts of granular household data are readily available.

“An analysis of the data protection regulations in those countries does not seem to indicate the existence of a more liberal approach on matters pertaining to personal privacy. Instead, it appears that confidence in State capacity to ensure privacy protection and trust in enforcement mechanisms inherent in the existing law offers enough safeguards to ensure the availability of large volumes of useable household data. In contrast, India lacks a formal legal framework for data protection,” it noted.

1. The rights-based approach

The RBI recommended an alternative system in which the financial system is divided into:

  • Data subjects, in this case, households which generate financial information through transactions, savings etc.
  • Data controllers, in this context financial firms, which will be obliged to ensure that whenever they process data pertaining to subjects, they do so without violating the rights of any subject.

In the rights-based model, the crucial difference lies in the presumption that the data controller is more likely than the data subject to be aware of the purposes to which the personal data will be put. Data controllers will be held liable for any harm caused to the data subject as a consequence of the breach of their rights. Where possible, the data controller should be required to either reset the record or to compensate the data subject to the full extent of any loss caused as a result of the breach of a right.

The model will require the creation of two new entities:

  • Intermediaries – The privacy law should create a class of technically skilled, learned intermediaries who can, on behalf of data subjects, review algorithms that process personal data and see if the data is being processed in a privacy-neutral manner.
  • Data commissioner – Who will be responsible for redress of grievances as well as for the establishment of standards of accountability and transparency. They will also have to publish annual reports on privacy compliance in the country and will have to ensure that the standards are responsive to technology changes.

2. Rights data subjects are entitled to

  • The Right to Fair Treatment: The data subject has the right to be treated fairly and without bias when financial firms make a determination about them by processing any data.
  • The Right to Information: The data subject has the right to information about all data pertaining to them that is under the control of financial firms. They will also have the right to know what uses the data has been put to as well as the persons with whom the data has been shared. They can also request financial firms to correct any errors or omissions in their database.
  • The Right to Data Security: The data subject will have to be assured of the security of his data at all times. Any data pertaining to the data subject that is under the control of financial companies will be maintained in a secure environment and processed, used or transferred only using secure practices and procedures.
  • The Right Against Processing: Any data subject who does not want his data to be processed should have the right to stop the financial firm from processing his data. This right could be exercised in a granular fashion if data controllers present to subjects details of the manner in which the data is being processed by the data controller.

3. Types of harms a data controller might do

In the financial context, harm under the rights-based approach to privacy could be defined as:

  • Financial harm: This type of harm is caused when data is being transferred and causes direct or indirect financial harm. Indirect financial harm is defined as any harm that could be quantified in financial terms even if it does not directly result in financial loss.
  • Reputational harm: This is when there is a security breach or lapse in processing of data, and the data is used to impair the reputation of the subject which results in harm being caused to the reputation and social standing of the subject. “The data subject may find it hard to get a job, may be persecuted for criminal acts perpetrated in his name or otherwise shunned in society,” the RBI added.
  • Harm due to manipulation of Choice: This type of harm is caused when data about a subject is used in order to limit the choice available, whether in terms of the information they have access to or any products or services.
  • Harm due to Discrimination: This type of harm is caused when data is processed in such a manner as to unfairly discriminate against a subject in terms of the products or services that such data subject is entitled to.

When any type of harm occurs, the data controller who is responsible must first remediate the harm caused. If remediation is not possible, the data controller must be made liable to compensate for the harm caused.

In the event of a data breach, data controllers must issue a data breach notification (including with respect to suspected data breaches) within 24 hours of discovering that it has occurred.

In the event of harm caused as a result of improper processing, the data controller must be obliged to immediately rectify the algorithm or other process that was the cause of the improper processing and shall notify all data subjects who might have been affected as a result.

“Since modern databases are inter-connected with each other, it is possible that even without consciously transferring data, numerous data controllers have access to a given data set and therefore might have contributed to the harm caused to the data subject. In such event, where it is not possible to conclusively determine that the harm caused to the data subject is on account of a single data controller, all the data controllers who may have been responsible shall be made jointly and severally liable for the consequences,” the RBI added.